India’s Ministry of Electronics and Information Technology (MeitY) was expected to introduce its comprehensive data protection law in Parliament’s 2018 winter session but has been conducting consultations. The law is now expected to be introduced later this year. However, policymakers appear to be jumping the gun: While that law is being prepared, sections of the government have rapidly undertaken other initiatives that directly impact privacy. Problematically, these initiatives could severely undermine privacy and free speech (often two sides of the same coin) through undue government surveillance, and discourage Indians from participating in the digital economy, which would hamper investment and innovation in India from Indian and international companies.
One such initiative is a dramatic and problematic expansion of intermediary liability: a set of amendments to India’s Information Technology Rules. These amendments could require technology platforms – many of which offer complete encryption to protect user privacy – to assist the government, including by breaking that encryption and tracing individuals who posted content on the platform, for strikingly broad and ambiguously defined reasons: “concerning security of the State or cyber security or investigation or detection or prosecution or prevention of offence(s); protective or cyber security and matters connected with or incidental thereto.”
Further, a phrase in the amendments suggests that even the aforementioned reasons need not apply. That is, it suggests the government can demand assistance, including traceability, for any reason. The amended language states: “[T]he intermediary shall… provide… assistance… as asked for by any government agency or assistance concerning security of the State or cyber security or investigation…” The phrase “or assistance” suggests that a connection to the articulated reasons (security of the State and so on) is optional. Unless this phrase is merely a typographical error that gets corrected during review, it risks eviscerating – not just hampering – privacy, free speech, and investment in India.
Additionally, these amendments compel platforms to provide assistance at the request of any government agency. Specifying one or a couple of agencies could help mitigate the likelihood of undue surveillance. Critically, the amendments do not appear to make clear whether the requesting agency requires a court order, even though judicial scrutiny can help prevent government overreach, as the report accompanying MeitY’s draft data protection bill astutely acknowledged.
The amendments also require intermediaries to proactively identify and remove “unlawful” content from their platforms. However, this proposal does not clearly define “unlawful”; does not consider that this practice could amount to platforms breaching the privacy they promised their users; and ignores the policies and reporting mechanisms many platforms already implement to tackle inappropriate material.
A second concerning initiative the government has undertaken is the Ministry of Home Affairs’ recent order that gives 10 government agencies authority to intercept, monitor, and decrypt “any information gathered, transmitted, received, or stored in any computer.” This extraordinarily broad language suggests constant and unconditional surveillance of essentially one’s entire digital presence and has triggered serious concerns among consumers, businesses, and activists. However, it is unclear if the order intended to expand the surveillance powers that long-established laws provide the government, or merely articulate which agencies can exercise those powers. The Supreme Court of India, in response to a petition filed by privacy activists, is evaluating the order and has asked the government to submit its views.
A third concerning initiative is the government’s decision to amend – without stakeholder consultation – the Aadhaar Act in response to the Supreme Court’s September 2018 decision regarding Aadhaar, India’s biometric ID system. Multiple amendments could face legal challenges as they arguably contravene aspects of the Supreme Court’s decision and undermine privacy. For example, in the context of government surveillance, the Supreme Court’s decision noted that a government request for an individual’s personal information on national security grounds should be subject to judicial scrutiny. The amendments, however, do not require judicial scrutiny.
Undertaking such initiatives separately from and before the data protection law emerges means they will not benefit from the long-running and wide consultations MeitY has conducted on similar issues for the data protection law. It also risks creating a fragmented landscape with conflicting or unclear obligations.
Policymakers involved with such initiatives should therefore synchronize their efforts with the data protection law as or after it is developed, or at the very least, consult meaningfully with a diverse range of stakeholders including industry representatives and consumers, all of whom may be able to contribute critical insights that can help align the goals of policymakers, businesses, and consumers.
Nikhil Sud is a Regulatory Affairs Specialist with Albright Stonebridge Group’s South Asia practice.